Putting expensive locks on your doors helps secure your home. But what if you start giving away the keys? First, you give a set to your family and close friends, then the babysitter, then the maintenance worker, and so on. As the homeowner, you expect these third parties to treat those keys with the same sense of security as you do.
There are other third parties that matter to your home as well. Pest control, plumbers, road maintenance, security guards, delivery workers, and many more. They know where your home is, but you are willing to give them the address to outsource key tasks you don’t want to do yourself. These people too must be trusted.
Oh, and don’t forget about the vendors in use by your third parties, sometimes called 4th parties, subcontractors, or subprocessors.
Though from a flawless analogy, the general concept holds true: Do you know if your vendors (and their vendors) are safe to do business with?
According to Deloitte’s 2019 Global Survey on Third-Party Governance and Risk Management, 83% of organizations have experienced a third-party related incident in the last three years, with nearly 11% having a severe impact on the business. As for fourth parties? Just 2% of organizations claim to assess and monitor all fourth parties.
Enterprises have increased their dependence on third-party products and services for a competitive edge. But this broadens the attack surface, making it imperative to invest in third-party or vendor risk management solutions. This need is further solidified with increasing data collection, recent market volatility, and regulations like GDPR, CCPA, LGPD, PIPEDA, HIPAA, etc.
In the extended enterprise, the security of your data and systems is not entirely in your control. That’s why it is critical to assess and mitigate the risks posed by your entire supply chain.
Third-Party and Vendor Data Breaches in 2019
Need more convincing that it’s time to invest in your third-party risk management program? Here’s a quick glance at some of the most noteworthy vendor data breaches of 2019:
Major Social Media Company
#1 Data Breach:
- A Mexico-based media company exposed 146 GB of user data containing over 540 million records.
- The leaked data included details of users’ comments, likes, reactions, account name, ID, and other sensitive information.
#2 Data Breach:
- An integrated third-party app exposed plaintext (i.e. unprotected) passwords of 22,000 users.
- It was found to be exposed to the public internet via an unprotected web server.
- The exposed database contained information such as user id, user name, interests, events, groups, and more.
Major American Billing Service Provider
- A U.S. based medical billing service provider, fell victim to a data breach that lasted for over seven months from August 1, 2018 until March 30, 2019.
- Approximately 20 million U.S. citizens were affected by this data breach.
- The data breach included credit card numbers, bank account information, and even social security numbers of the patients.
- Its corporate clients terminated its services forcing the company to file for Chapter 11 bankruptcy protection.
Major Delivery Service
- On May 4, 2019, an on-demand food delivery service reported unauthorized third-party access to information on 4.9 million people.
- The type of user data accessed included names, email addresses, delivery addresses, order history, phone numbers, as well as hashed passwords — a cipher mechanism was used to hide the actual password from third parties.
- Approximately 100,000 drivers’ license numbers of the delivery services provider’s users were also accessed.
The Challenges of Modern Vendor Risk Management
Third-party and vendor risk management is a growing concern among board-level stakeholders. Many organizations have difficulty streamlining and adequately managing their vendor risks because of silos that exist internally, as well as a lack of systematic processes throughout the organization. This impacts the bottom line by slowing down innovation and supplier onboarding, while also causing undue risk (and sometimes even extravagant spending).
Third-party and vendor risk management is moving towards automated technology solutions, yet, a considerable number of vendor risk management programs are still being handled across spreadsheets and multiple systems. A decentralized and fragmented vendor risk management process makes it difficult for any company or organization to keep track of its vendors and poses a burnout-inducing project on already overwhelmed resources.
Keeping this in mind, let’s examine some of the best practices and risk mitigation steps in vendor management.
Best Practices in Vendor Risk Management Lifecycle
- Evaluate: Regular audits and assessments of all vendors should be conducted to evaluate whether they are aligned to the compliance, security, and privacy standards relevant to your organization.
- Monitor: Actively monitor risks and performance of all third and 4th parties with whom you share this information.
- Control: Control what you share. Avoid giving unnecessary access to vendors. Instead, only share what is required to avoid loss of sensitive data even in case of a data breach.
- Review: Periodically review your vendor management policies and programs to address the latest industry standards, framework, or regulatory updates.
- Notify: Include a clause in your business agreement that makes it mandatory for the third-party to provide notification whenever any form of your proprietary, intellectual, or customer data is shared with others (4th parties) and/or when fourth parties change.
- Collaborate: Ensure the onboarding and involvement of all stakeholders in the vendor risk management process. Collaborate, because the implementation and success of your vendor management depend on every stakeholder’s involvement.
A centralized technology or a vendor risk management platform enables companies to track their vendors effectively and efficiently, while advanced risk analytics empowers them with the intelligence required to identify a suitable set of vendors to do business with.
Your company’s risk management program shouldn’t be limited to only securing its own IT infrastructure but also include its third and Nth-party vendor risk management. Cybercriminals are aware that larger enterprises implement the best suited IT security measures to safeguard their data and business periphery. Thus, they have now shifted focus from the main target to its ancillaries – your vendors. Fragile third-party vendors can act as a backdoor to larger enterprises’ data.
About OneTrust Vendorpedia
The OneTrust Vendorpedia platform is purpose-built to identify, assess, analyze, mitigate, and monitor vendor risks and performance. The platform offers three key solutions to help third-party risk teams:
- Cyber Risk Exchange: Research vendors and monitor performance with a research database and pre-completed assessments
- Vendor Chasing Services™: Enlist a Vendorpedia agent to perform vendor risk assessments on your behalf
- Third-Party Risk Management: Streamline supplier selection, assessment, mitigation, and approvals with workflow automation, manage the entire vendor risk management lifecycle.